Password best practices

Passwords are one of the simplest points at which an individual’s digital security can be compromised. Numerous websites require a minimum of eight characters, including one uppercase letter, one lowercase letter, one digit, and at least one special character. Under these rules, a password might look like ‘Pas$w0rd’. This is based on 2011 NIST recommendations.

Regrettably, a sizable number of websites have not updated their password rules to the more recent NIST recommendations. Passwords are commonly cracked by brute force, by guessing (social engineering), by malware (keylogging), or by trying a pre-existing list of known usernames and passwords (obtained in previous data breaches and published online).

There are 6.63 quadrillion unique eight-character passwords, and at the 2012 Passwords^12 conference, Jeremi Gosney demonstrated a computer that could try all 6.63 quadrillion of them in 5.5 hours. That works out to about 350 billion guesses every second. Password-cracking hardware has made considerable progress since 2012.

Any password can be broken; it is only a question of the time and effort required. For instance, the login and password for the majority of people’s routers remain admin/password. Getting in would take about four seconds and no effort at all.

Password strength is measured in terms of entropy, which depends on both the character set used (uppercase, lowercase, digits, and symbols) and the length of the password. Password entropy quantifies how difficult a password is to crack by guessing, brute force, dictionary attacks, or other methods.

If a password may contain digits (0–9), uppercase letters (A–Z), lowercase letters (a–z), and special characters (!, £, and so on), there are 95 possible characters for each position. If the password is two characters long, there are 9,025 possible combinations; if it is three characters long, there are 857,375 possible combinations; and so on, written as the equation 95^n, where n is the length of the password.

As a species, people make poor password choices. Even when a user selects a “random” password, we all have a preference for particular letters and numbers. This is referred to as “letter frequency,” and it is readily apparent in the word game Scrabble: there are more E tiles (12) than Q tiles (1), and nobody wants to be stuck with the Q or the Z. Additionally, humans are notoriously poor at memorizing arbitrary sequences of letters and numbers, so we either write them down (a terrible idea for a password) or simplify them.

“Pas$w0rd” is an insecure password because it is easily guessable.

“0ZhY3S6Q” is less guessable, but it has the same entropy and is difficult to remember.

Both sample passwords have the same amount of entropy, yet either could be found in under six hours using Gosney’s computer. As a result, neither password is safe.

Password protection

Since you cannot alter the list of allowed characters, you can protect your password by increasing the number of characters in it. This is where 95^n comes into play: 95 multiplied by itself once for each character in your password. The entropy of an eight-character password is calculated as follows:

95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 (and is written as 95^8)

This amounts to a total of 6.63 quadrillion unique passwords. A safer password would be at least 20 characters long (95^20), which equates to a total of 10.24 trillion unique passwords. As a guide:

  • 6,630,000,000,000,000 = 6.63 Quadrillion
  • 10,240,000,000,000,000,000,000,000,000,000,000 = 10.24 Decillion

Using a Gosney machine, cracking a twenty-character password could take up to 9,277,379,140 years. Regrettably, the rate at which passwords can be cracked has risen over time, which means that less secure passwords are broken ever faster.

Password managers

It would have taken over 9 billion years for someone to break a single 20-character password using Gosney’s 2012 computer. This is not, however, the only issue. A chain is only as strong as its weakest link. According to court filings, hackers gained access to the Equifax database in 2017 because the database’s username and password were Admin. The industry standard is to use a unique password for each website. However, human nature makes it impossible to remember a single twenty-character password, much less a different twenty-character password for every site.

Fortunately, there is software that eliminates this problem: Password Managers.

A password manager is a piece of software that stores all of your passwords in an encrypted database that can be opened only with the right master password (which should still be at least twenty characters, but more is better). Storing every password in a single location protected by a single password may seem like a flaw in the design, but the risk is mitigated further by enabling Two-Factor Authentication (2FA). Of the many ways to enable two-factor authentication, a hardware approach is recommended for the sake of security: a hardware device (such as a YubiKey) is used to verify that you are the correct account holder and have been granted access.

This keeps all of your passwords secure, encrypted, and easily accessible to you. While this is not completely safe, it is a practical way to generate random, lengthy passwords that are unique for each site you visit.

However, the password manager itself must be protected with a master password. My trick for creating an easy-to-remember random master password: open a dictionary to a random page, close your eyes, and press your index finger on the page to choose the closest word. Repeat this procedure four or five more times. The resulting words can be used as the master password for your account. This technique is described in detail in an excellent XKCD comic.
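As an added example (not part of the original article), this Python script works through the 95^n arithmetic from the password-protection section at the 350 billion guesses per second the article attributes to Gosney’s machine, and applies the same formula to the dictionary-word master-password method above. The dictionary size of 100,000 words and the 365.25-day year are assumptions.

```python
import math

# Assumed attacker throughput: the 350 billion guesses per second the
# article attributes to Gosney's 2012 machine.
GUESSES_PER_SECOND = 350e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600      # assumed calendar convention
PRINTABLE_ASCII = 95                       # digits + upper + lower + symbols
DICTIONARY_WORDS = 100_000                 # assumed dictionary size for the word method


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: alphabet_size ** length (the article's 95^n)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random choice, in bits: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def exhaust_seconds(combinations: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return combinations / rate


def equivalent_char_length(bits: float, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """How many random printable characters carry the same number of bits."""
    return bits / math.log2(alphabet_size)


def report(label: str, alphabet_size: int, length: int) -> None:
    """Print keyspace, entropy and worst-case search time for one scheme."""
    combos = keyspace(alphabet_size, length)
    secs = exhaust_seconds(combos)
    print(f"{label}: {combos:.3g} candidates, "
          f"{entropy_bits(alphabet_size, length):.1f} bits, "
          f"exhausted in {secs / 3600:.3g} hours ({secs / SECONDS_PER_YEAR:.3g} years)")


if __name__ == "__main__":
    report("8 random printable chars", PRINTABLE_ASCII, 8)
    report("20 random printable chars", PRINTABLE_ASCII, 20)
    report("5 random dictionary words", DICTIONARY_WORDS, 5)
```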

To maintain transparency, I use NordPass as my password manager since it is open-source and can be hosted on-premises or in the cloud. I use a YubiKey as my second factor of authentication.
